Thursday, April 15, 2010

Group Scopes

In this post I will be going over Group Scopes in Active Directory with a quick run down of each.

Global Groups are bad hosts but great travellers. This means they can only contain objects from their own domain, but they can be used to set permissions in any domain, as they can travel across trust links.

Domain Local groups are great hosts but bad travellers. They can host objects from any domain, i.e. they can contain objects from other domains across trust links. However, they cannot be used to set permissions in other domains, only in the domain in which they exist.

Universal Groups are great hosts and great travellers. These guys can hold objects from any domain and can be used to set permissions anywhere. This is possible because universal group membership is held entirely in the global catalog. For that reason they should be avoided wherever possible, as they increase the size of the global catalog database.

There is one exception with Universal Groups: they cannot contain groups or objects from another Active Directory forest, only from domains within their own forest. Domain Local Groups, by contrast, can contain members from any domain in any forest. I can demonstrate this by trying to convert a Domain Local group that contains objects from another Active Directory forest (via a Forest Trust or External Trust) to a Universal group; the attempt fails with the following error:

The following Active Directory Domain Services error occurred: Foreign security principals cannot be a member of universal groups.

By "foreign", Microsoft means a security principal from another forest or realm (which could be OpenLDAP, etc.).
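A quick way to see this error coming before you change a group's scope is to look at the group's raw member list for foreign security principals. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is available, and the group name 'DL-FileShare-RW' is a hypothetical placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# RSAT module; the group name 'DL-FileShare-RW' is a hypothetical placeholder.
Import-Module ActiveDirectory

function Test-UniversalScopeReady {
    param(
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Read the raw member DNs instead of using Get-ADGroupMember, because
    # resolving members that live in a trusted forest can fail outright.
    $group = Get-ADGroup -Identity $GroupName -Properties member, GroupScope

    # Members from outside the forest are stored as foreignSecurityPrincipal
    # objects under CN=ForeignSecurityPrincipals,<domain DN>. These are the
    # members that trigger "Foreign security principals cannot be a member of
    # universal groups". Members from other domains in the same forest are
    # ordinary DNs in that domain and do not block the conversion.
    $foreign = @($group.member | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })

    [pscustomobject]@{
        Group          = $group.Name
        CurrentScope   = $group.GroupScope
        MemberCount    = @($group.member).Count
        ForeignMembers = $foreign
        CanBeUniversal = ($foreign.Count -eq 0)
    }
}

$result = Test-UniversalScopeReady -GroupName 'DL-FileShare-RW'
$result | Format-List

if ($result.CanBeUniversal) {
    # -WhatIf reports the change without applying it; remove it to convert for real.
    Set-ADGroup -Identity $result.Group -GroupScope Universal -WhatIf
} else {
    Write-Warning 'Remove or replace these foreign members before converting:'
    foreach ($dn in $result.ForeignMembers) {
        # Translate the FSP's SID back to an account name where the trust allows it.
        $sid = (Get-ADObject -Identity $dn -Properties objectSid).objectSid
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        "  $name  ($dn)"
    }
}
```

The check only covers the foreign-member case described in this post; AD applies other scope-conversion rules as well (for example, a Domain Local group cannot become Universal while it contains another Domain Local group), so keep the -WhatIf run as the final confirmation.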